A Single Phishing Email Cost This Company $100 Million

In 2024, the FBI's Internet Crime Complaint Center reported that phishing — often misspelled as "phising" — remained the most reported cybercrime category, with hundreds of thousands of complaints filed in a single year. But the raw numbers don't capture the gut punch of a real incident. When Facebook and Google lost over $100 million to a Lithuanian man running a phishing-based business email compromise scheme, it proved that even the most sophisticated tech companies on earth aren't immune.

If you've landed on this page searching for "phising," you're looking for the right thing. Phishing — the correct spelling — is the single most common attack vector used to breach organizations of every size. I've spent years helping organizations build defenses against it, and I can tell you this: the threat has never been more dangerous, more personalized, or more effective than it is right now in 2026.

This post is your practical guide. I'll walk you through exactly how modern phishing works, what the latest attacks look like, and — most importantly — how to build real defenses that actually stop credential theft and data breaches before they start.

What Is Phishing? (And Why Everyone Spells It Wrong)

Phishing is a social engineering attack where a threat actor impersonates a trusted entity — a bank, a boss, a vendor, a cloud service — to trick you into handing over credentials, clicking a malicious link, or downloading malware. The term comes from "fishing" for victims, with the "ph" a nod to early phone hacking (phreaking) culture.

The common misspelling "phising" is typed into search engines tens of thousands of times every month. If that's how you got here, no judgment. What matters is that you understand the threat.

Here's what phishing is not: it's not just the poorly written Nigerian prince emails of 2005. Modern phishing campaigns use pixel-perfect replicas of Microsoft 365 login pages, AI-generated text that matches your CEO's writing style, and delivery mechanisms that bypass legacy email filters. The game has changed completely.

The $4.88 Million Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Phishing was consistently among the top initial attack vectors. That's not a theoretical number — it's the average. Some breaches cost ten times that.

In my experience, the organizations that get hit hardest are the ones that treated phishing as a "training checkbox" problem. They ran one annual awareness session, sent one phishing simulation, and called it done. That's not a defense. That's a formality.

The Verizon 2024 Data Breach Investigations Report found that the human element was involved in 68% of breaches. Phishing and pretexting — both social engineering techniques — dominated the social attack category. You can read the full report at Verizon's DBIR page. The data is clear: your people are the primary target, and they need more than a once-a-year lecture.

The 5 Types of Phishing Attacks Hitting Organizations Right Now

1. Email Phishing (The Classic)

Mass-distributed emails designed to look like they come from trusted brands. Think Microsoft, Amazon, DHL, or your payroll provider. The goal is usually credential theft — getting you to enter your username and password on a fake login page. These campaigns are cheap to run, and threat actors send millions of them daily.

2. Spear Phishing

Targeted attacks aimed at specific individuals. The attacker has done research — they know your name, your role, your recent projects. They might reference a real invoice or a real colleague. Spear phishing is how most high-value breaches begin. The 2020 Twitter hack that compromised accounts of Barack Obama, Elon Musk, and others started with spear phishing phone calls to Twitter employees.

3. Business Email Compromise (BEC)

The FBI's IC3 has repeatedly flagged BEC as the highest-dollar cybercrime category. In a BEC attack, a threat actor either spoofs or compromises an executive's email account and uses it to request wire transfers, W-2 data, or other sensitive information. The FBI reported BEC losses exceeding $2.9 billion in 2023 alone. Details are available in the FBI IC3 annual reports.

4. Smishing and Vishing

Phishing via SMS (smishing) and via voice calls (vishing) is surging. You've probably received fake "your package couldn't be delivered" texts. Vishing now uses AI-generated voice clones. In 2024, a finance worker in Hong Kong was tricked into transferring $25 million after a video call with what appeared to be the company's CFO — it was a deepfake.

5. QR Code Phishing (Quishing)

This is the newest evolution. Attackers embed malicious QR codes in emails, physical mail, or even parking meters. Scanning the code takes you to a credential harvesting page. Traditional email security tools don't decode QR code images, so the embedded URL never reaches the link filter, which makes this attack particularly effective at bypassing it.

How to Spot a Phishing Email: The 60-Second Check

Here's the quick-reference checklist I give to every organization I work with. Train your employees to run through these checks on any unexpected or suspicious email:

  • Check the sender's actual email address. Hover over the display name. "Microsoft Support" sending from an address at an unrelated domain is a dead giveaway.
  • Look for urgency or threats. "Your account will be suspended in 24 hours" is a classic pressure tactic. Legitimate companies rarely set aggressive deadlines via email.
  • Inspect links before clicking. Hover over any link. Does the URL match the organization it claims to be from? Even one wrong character matters.
  • Watch for generic greetings. "Dear Customer" or "Dear User" instead of your actual name can signal a mass phishing campaign.
  • Question unexpected attachments. Especially .zip, .exe, .html, or macro-enabled Office files from unknown senders.
  • Verify through a separate channel. If your CEO emails asking for a wire transfer, call them directly. Don't reply to the email.

This isn't foolproof — sophisticated spear phishing can pass every one of these checks. That's why technical controls and ongoing training must work together.
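The checklist above is the kind of thing a mail gateway or a triage script can run mechanically before a human ever sees the message. The following is an added example, not code from the original post: it parses a raw message with Python's standard email library and reports which of the six checks it trips (sender/display-name mismatch, urgency language, link text that names a different host than its href, generic greeting, risky attachment types). The sample message, the brand allow-list and the keyword lists are constructed for illustration; the domains are reserved example names.

```python
"""Run the 60-second checklist as code over a raw RFC 822 message.
Added example, not code from the original post; the sample message, the brand
allow-list and the keyword lists are constructed for illustration."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

URGENCY_PHRASES = ("within 24 hours", "will be suspended", "immediately", "final notice")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
RISKY_EXTENSIONS = (".zip", ".exe", ".html", ".htm", ".docm", ".xlsm", ".js", ".iso")
# Brands a display name may claim, and the domains they legitimately send from
# (constructed allow-list; extend it from your own mail logs)
BRAND_DOMAINS = {"microsoft": ("microsoft.com",), "amazon": ("amazon.com",)}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def registrable(host):
    """Crude eTLD+1: last two labels (good enough for the sample domains here)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_message(raw):
    """Return the checklist items the message trips; an empty list means none tripped."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # 1. Display name claims a brand but the address lives elsewhere
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and registrable(sender_domain) not in domains:
            findings.append(f"sender mismatch: '{display}' sends from {sender_domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != sender_domain:
        findings.append(f"reply-to goes to a different domain: {reply}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lower = text.lower()
    # 2. Urgency or threats
    if any(p in lower for p in URGENCY_PHRASES):
        findings.append("urgency language in body")
    # 3. Link text shows one site while the href points at another
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for href, shown in collector.links:
            shown_host = host_of(shown)
            if shown_host and registrable(shown_host) != registrable(host_of(href)):
                findings.append(f"link shows {shown_host} but points to {host_of(href)}")
    # 4. Generic greeting
    if any(g in lower for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    # 5. Risky attachment types
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
    return findings


def build_sample():
    """Constructed phishing-style message that trips several checks at once."""
    m = EmailMessage()
    m["From"] = "Microsoft Support <support@account-verify-center.example>"
    m["Reply-To"] = "helpdesk@mailbox-recovery.example"
    m["To"] = "employee@corp.example"
    m["Subject"] = "Action required: your account will be suspended"
    m.set_content("Dear Customer, your account will be suspended within 24 hours.")
    m.add_alternative(
        "<p>Dear Customer,</p>\n<p>Your account will be suspended within 24 hours.</p>\n"
        '<p><a href="http://login.account-verify-center.example/">'
        "https://login.microsoft.com/</a></p>\n",
        subtype="html")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename="invoice.zip")
    return m.as_string()


if __name__ == "__main__":
    for f in check_message(build_sample()):
        print("-", f)
```

A benign internal message produces an empty list; the constructed sample trips all six checks. As the paragraph above says, a well-crafted spear phish can pass every one of these, so treat the output as a triage aid that routes messages to a human or to sandbox detonation, not as a verdict.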

Why Multi-Factor Authentication Isn't Enough (But You Still Need It)

I hear it constantly: "We have MFA, so we're covered." You're not.

Multi-factor authentication is essential. It stops a huge percentage of credential theft attacks. But threat actors have adapted. Adversary-in-the-middle (AiTM) phishing toolkits like EvilProxy and Evilginx2 can intercept session tokens in real time, bypassing MFA entirely. The attacker sets up a proxy between you and the real login page. You enter your credentials and MFA code. The attacker captures the authenticated session cookie and walks right in.

Does this mean MFA is useless? Absolutely not. It still blocks the majority of opportunistic attacks. But it means you can't rely on MFA as your only defense. You need layered security — what the industry calls a zero trust approach. Verify every access request. Assume breach. Monitor for anomalous behavior after authentication, not just at the gate.
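"Monitor for anomalous behavior after authentication" is concrete enough to code. The block below is an added example, not from the original post, showing the two signals a detection engineer would look for against an AiTM proxy: an MFA-satisfied sign-in from a network the user has never used (the identity provider may record the proxy's address rather than the victim's), and a session token presented shortly afterwards from a different network or client than the one that completed MFA. The per-user baseline, the ASN values and the sign-in/request records are constructed in a generic shape and are not any identity provider's real log format.

```python
"""Post-authentication monitoring for replayed session tokens.
Added example, not from the original post; the baseline and the sign-in/request
records are constructed in a generic shape, not any identity provider's log format."""
from datetime import datetime, timedelta

# Constructed baseline: networks (ASNs) each user has signed in from before
BASELINE = {"alice": {"AS64496"}, "bob": {"AS64496", "AS64500"}}

# Constructed events. In an AiTM phish the victim completes MFA through the proxy,
# so the identity provider may record the proxy's network at sign-in; the stolen
# cookie is then presented from the attacker's own browser.
EVENTS = [
    {"ts": "2026-03-02T09:00:00", "user": "alice", "session": "S1", "kind": "signin",
     "asn": "AS64511", "ua": "Chrome/120 Windows", "mfa": True},
    {"ts": "2026-03-02T09:03:00", "user": "alice", "session": "S1", "kind": "request",
     "asn": "AS64511", "ua": "Chrome/118 Linux"},
    {"ts": "2026-03-02T09:10:00", "user": "bob", "session": "S2", "kind": "signin",
     "asn": "AS64500", "ua": "Safari/17 macOS", "mfa": True},
    {"ts": "2026-03-02T09:40:00", "user": "bob", "session": "S2", "kind": "request",
     "asn": "AS64500", "ua": "Safari/17 macOS"},
    {"ts": "2026-03-02T10:00:00", "user": "carol", "session": "S3", "kind": "request",
     "asn": "AS64496", "ua": "Firefox/121 Windows"},
]


def find_session_anomalies(events, baseline, window=timedelta(hours=1)):
    """Return {session_id: [reasons]} for sessions that look replayed or were minted
    from an unfamiliar network. Checks: (a) MFA-satisfied sign-in from an ASN the user
    has never used, (b) token presented within `window` of sign-in from a different
    network or client than the one that passed MFA, (c) token with no recorded sign-in."""
    origin = {}       # session id -> the sign-in event that minted it
    anomalies = {}

    def flag(sid, reason):
        anomalies.setdefault(sid, [])
        if reason not in anomalies[sid]:
            anomalies[sid].append(reason)

    # ISO-8601 timestamps sort correctly as strings
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if ev["kind"] == "signin":
            origin[sid] = ev
            if ev.get("mfa") and ev["asn"] not in baseline.get(ev["user"], set()):
                flag(sid, f"MFA sign-in from unfamiliar network {ev['asn']}")
            continue
        start = origin.get(sid)
        if start is None:
            flag(sid, "token used with no recorded sign-in")
            continue
        age = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(start["ts"])
        if age <= window:
            if ev["asn"] != start["asn"]:
                flag(sid, f"network changed {start['asn']} -> {ev['asn']} after {age}")
            if ev["ua"] != start["ua"]:
                flag(sid, f"client changed '{start['ua']}' -> '{ev['ua']}' after {age}")
    return anomalies


if __name__ == "__main__":
    for sid, reasons in find_session_anomalies(EVENTS, BASELINE).items():
        print(sid, reasons)
```

Session S1 is flagged twice (unfamiliar network at sign-in, then a different client using the token three minutes later), S3 is flagged for a token with no sign-in behind it, and bob's ordinary session is left alone. An alert like this should drive session revocation and a forced re-authentication with a phishing-resistant factor, which is exactly the layered response the paragraph above describes.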

CISA's guidance on phishing-resistant MFA — including FIDO2 security keys — is the gold standard here. You can review their recommendations at cisa.gov/mfa.

Building a Phishing Defense That Actually Works

Start with Continuous Security Awareness Training

Annual training doesn't change behavior. Monthly touchpoints do. Your employees need regular, short, scenario-based training that reflects the phishing tactics actually being used right now. Not a 45-minute video from three years ago.

Our cybersecurity awareness training program is built around this principle — short modules, real-world scenarios, updated regularly to reflect the current threat landscape. It covers social engineering, credential theft, ransomware prevention, and more.

Run Phishing Simulations (The Right Way)

Phishing simulations are one of the most effective tools in your security program — when done correctly. The goal is not to trick and shame employees. It's to build muscle memory so they recognize and report real attacks.

Good simulation programs vary the attack types (email, SMS, QR code), escalate difficulty over time, and provide immediate coaching when someone clicks. Our phishing awareness training for organizations provides exactly this — realistic, customizable simulations paired with instant feedback and tracking.

Layer Your Technical Controls

No single tool stops phishing. You need defense in depth:

  • Email authentication: Implement DMARC, DKIM, and SPF to prevent domain spoofing.
  • Advanced email filtering: Use tools that analyze URLs, attachments, and sender behavior — not just known signatures.
  • Endpoint detection and response (EDR): If a payload gets through, EDR can catch malicious behavior on the device.
  • DNS filtering: Block access to known malicious domains at the network level.
  • Phishing-resistant MFA: FIDO2 hardware keys or passkeys for high-risk accounts.
  • Zero trust architecture: Continuous verification, least-privilege access, microsegmentation.
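Email authentication is the one item in that list you can audit with a few lines of code. The block below is an added example, not from the original post: it parses SPF and DMARC TXT records and lists the weaknesses that still let a spoofed sender through, with a constructed weak pair beside a corrected pair. No DNS lookups are made; the records are string constants, so in practice you would feed in the TXT records fetched by your resolver. All domains and addresses are reserved example names.

```python
"""Assess SPF and DMARC TXT records for the gaps that let a spoofed sender through.
Added example, not from the original post; the records below are constructed and
no DNS lookups are made (feed in records fetched with your resolver of choice)."""
import re

# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 section 4.6.4
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:|redirect=)", re.I)


def parse_spf(record):
    """Return the mechanism list of an SPF record, or None if it is not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]


def assess_spf(record):
    """List weaknesses in an SPF record; an empty list means nothing to fix."""
    issues = []
    terms = parse_spf(record)
    if terms is None:
        return ["no SPF record: receivers cannot reject hosts claiming this domain"]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        q = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if q == "+":
            issues.append("'+all' authorises every host on the internet")
        elif q == "?":
            issues.append("'?all' is neutral, effectively no policy")
        elif q == "~":
            issues.append("'~all' softfails spoofed mail instead of rejecting it")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if any(t.lstrip("+-~?").lower().startswith("ptr") for t in terms):
        issues.append("'ptr' mechanism is deprecated in RFC 7208")
    return issues


def parse_dmarc(record):
    """Return the tag dict of a DMARC record, or None if it is not DMARC."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(record):
    """List weaknesses in a DMARC record; an empty list means nothing to fix."""
    issues = []
    tags = parse_dmarc(record)
    if tags is None:
        return ["no DMARC record: SPF and DKIM results are never enforced"]
    p = tags.get("p", "").lower()
    if p == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif p == "quarantine":
        issues.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    elif p != "reject":
        issues.append("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sp = tags.get("sp", "").lower()
    if sp and sp != "reject":
        issues.append(f"sp={sp}: subdomains get a weaker policy than the organisational domain")
    if "rua" not in tags:
        issues.append("no rua= address: you will never see who is spoofing you")
    return issues


# Constructed records: a weak pair and the corrected pair
WEAK_SPF = "v=spf1 include:_spf.mailer.example +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@corp.example; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, rec, fn in [("weak SPF", WEAK_SPF, assess_spf),
                           ("weak DMARC", WEAK_DMARC, assess_dmarc),
                           ("strong SPF", STRONG_SPF, assess_spf),
                           ("strong DMARC", STRONG_DMARC, assess_dmarc)]:
        print(label, "->", fn(rec) or ["ok"])
```

The weak pair is a common real-world state: an SPF record that ends in `+all` authorises anyone, and `p=none` with `pct=50` means DMARC is collecting nothing and enforcing nothing. The corrected pair ends SPF in `-all`, sets `p=reject`, and adds an `rua` address so aggregate reports show who is spoofing the domain. DKIM is not checked here because its health depends on the public key published by your mail provider rather than on a policy string you author.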

Build a Reporting Culture

Here's something I've seen make a bigger difference than any technology: making it easy and safe for employees to report suspicious emails. Add a one-click "Report Phishing" button to your email client. Celebrate reports, even false positives. The organizations with the strongest security cultures are the ones where employees report suspicious messages within minutes — giving the security team time to pull the email from every inbox before anyone else clicks.

What should you do if you've already clicked a phishing link or entered your credentials? This is the question people are too embarrassed to ask. Here's the answer:

  • Disconnect from the network immediately. If you're on a corporate device, unplug the ethernet or disable Wi-Fi.
  • Change your passwords now. Start with the account that was targeted. Then change any account where you used the same password.
  • Enable MFA on every account that supports it, if you haven't already.
  • Report it to your IT/security team. Speed matters. The faster they know, the faster they can contain the damage.
  • Scan your device for malware using your organization's EDR or antivirus tool.
  • Monitor your accounts for unusual activity — unauthorized logins, password reset emails you didn't request, new forwarding rules in your inbox.

Don't beat yourself up. Phishing works because it exploits human psychology, not stupidity. The most important thing is how fast you respond.
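The last item on the list, new forwarding rules in your inbox, is the one responders most often find after a successful credential phish: the attacker adds a rule that silently copies mail to an outside address and deletes the security alerts and replies that would give the intrusion away. The block below is an added example, not from the original post, that reviews a mailbox's rules for exactly those changes. The rule export is constructed in a generic shape rather than any mail platform's real export format, and the internal domain is an assumption.

```python
"""Review a mailbox's rules for the changes that typically follow a successful phish:
external auto-forwarding, and rules that delete or hide security-related mail.
Added example, not from the original post; the rule export is constructed in a generic
shape, not any mail platform's real export format, and the internal domain is assumed."""

INTERNAL_DOMAINS = {"corp.example"}          # assumption: the organisation's own domains
SENSITIVE_TERMS = ("password", "security alert", "verification", "invoice", "wire", "payment")

# Constructed export of one user's mailbox rules
RULES = [
    {"name": "Vendor invoices", "enabled": True, "forward_to": ["ap@corp.example"],
     "delete": False, "mark_read": False, "subject_contains": ["invoice"]},
    {"name": ".", "enabled": True, "forward_to": ["backup.mail.2026@webmail.example"],
     "delete": True, "mark_read": True,
     "subject_contains": ["password", "security alert", "invoice"]},
    {"name": "Newsletters", "enabled": True, "forward_to": [], "delete": False,
     "mark_read": True, "subject_contains": ["newsletter"]},
]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def review_rules(rules, internal=INTERNAL_DOMAINS):
    """Return {rule_name: [reasons]} for enabled rules that warrant a look."""
    flagged = {}
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        reasons = []
        # Forwarding outside the organisation is the classic post-compromise change
        external = [a for a in rule.get("forward_to", []) if domain_of(a) not in internal]
        if external:
            reasons.append("forwards to external address(es): " + ", ".join(external))
        # Rules that delete or silently read mail about passwords, alerts or payments
        subjects = [s.lower() for s in rule.get("subject_contains", [])]
        hits = [t for t in SENSITIVE_TERMS if any(t in s for s in subjects)]
        if rule.get("delete") and hits:
            reasons.append(f"deletes mail matching {hits}: hides alerts and replies from the user")
        elif rule.get("mark_read") and hits:
            reasons.append(f"marks mail matching {hits} as read: suppresses new-mail cues")
        # Attackers frequently name their rules with a single character to avoid notice
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("empty or single-character rule name")
        if reasons:
            flagged[rule["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in review_rules(RULES).items():
        print(repr(name), reasons)
```

Only the rule named "." is flagged, for three reasons at once; the legitimate internal forward and the newsletter rule pass. Run this against every mailbox the phished account could reach, not just the victim's, and pair it with the password reset and session revocation from the steps above.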

Phishing Will Get Worse Before It Gets Better

AI-generated phishing emails are already harder to detect than human-written ones. Deepfake voice and video calls are no longer theoretical — they're being used in active attacks. Phishing-as-a-service platforms on the dark web let anyone with a credit card launch sophisticated campaigns.

The only sustainable defense is a combination of trained, vigilant people and layered technical controls — updated continuously as threats evolve. If your organization hasn't invested in both, you're operating on borrowed time.

Start building your defenses today. Enroll your team in cybersecurity awareness training and deploy realistic phishing simulations that turn your employees from your biggest vulnerability into your strongest sensor network. Because the next phishing email targeting your organization isn't coming next month. It's already in someone's inbox.